
Phishers use taxman con to hook home insurance giant

Information Regulator chairperson Pansy Tlakula said they had yet to be informed of the BetterSure incident. (File photo)

Cyber criminals have launched a phishing attack on nearly 4,000 BetterSure home insurance clients, but the bank says its firewall and e-mail security system immediately picked up on the threat.

On Friday, using a phishing e-mail, the attackers gained access to an internal e-mail account of a BetterSure administration employee. Through this account the hackers then targeted 3,500 of the company’s clients using a similar phishing e-mail.

Phishing e-mails, which contain malicious software, are disguised to look like e-mails from legitimate businesses, and are used by criminals to con prospective victims into divulging personal information such as login details and passwords for bank and retail accounts.

BetterSure is part of the BetterLife Group, which includes the home-loan subsidiary BetterBond. BetterSure provides cover for homeowners and building insurance.

The company insists that none of its clients’ personal data has been compromised.

The BetterSure attack follows the leaking in May of the personal data of 24 million South Africans by staff working for the global credit bureau giant, Experian.

Nearly 800,000 businesses were affected by the Experian breach.

The e-mail BetterBond CEO Carl Coetzee sent on Friday after cyber criminals used an employee's e-mail account to launch attacks on 3,500 of the company's BetterSure clients. (Supplied)

The Information Regulator launched its own forensic investigation into the Experian leak after that data was found on various internet sites. This was after Experian insisted that it had secured all of its clients’ details.

Information Regulator chairperson, advocate Pansy Tlakula, said they had yet to be informed of the BetterSure incident.

“Whether it was a cyber attack or an accidental leak, this is serious. This is one of dozens of cyber security incidents to have occurred since June,” she said.

“From 20 June to date there have been 25 personal data cyber security breaches. It is highly concerning, especially as these breaches are increasing.

“We are yet to do an analysis of all the security breaches. Some could be full-on attacks on company IT systems, while others could have occurred because of employee lapses in regards to IT security system protocols.”


On Friday, BetterBond chief executive Carl Coetzee sent an e-mail warning clients to be aware of a phishing attack.

The e-mail says the company is aware “of an ongoing phishing attack that is doing the rounds”.

“Please be extra vigilant at this time. We have reason to believe that the fraudsters may have gained access to one of our Admin e-mail addresses, and are impersonating SARS employees.”

Coetzee warns clients to be aware of e-mails coming from cessionadmin@betterbond.co.za, with the subject line “Letter of Demand”.

“Please delete it immediately and remove it from your deleted Items folder. Do not open it and do not click on any links that it may contain. This is the safest way of dealing with the threat,” he wrote.

The company had put precautions in place “to make sure the attack does not succeed”.

“We are merely alerting you as part of our all-round safety protocols, but you can help stop the attack in its tracks by removing the message without delay.”

The phishing e-mail 3,500 BetterSure clients received in the cyber attack. (Supplied)

Sunday Times Daily has seen a copy of the phishing e-mail, which bears the BetterBond logo and is written by a purported SARS staffer within the Receiver’s non-existent Accounts Forensic Unit.

The e-mail, which contains an attachment and a link to the apparent letter of demand, states: “Dear Taxpayer, SARS have issued below a Letter of Demand which requires your urgent attention. COURT SUMMONS AND BLACKLISTING Imminent: If this is not attended to within the next 24hours. Attached is the Letter of Demand sent online from SARS.

“Kindly Download and View. For any queries on the above, please contact us using the number provided on the top right corner of above letter of demand. [sic].”

Declining to respond to detailed questions, BetterBond group marketing manager Franki Robinson confirmed the phishing attack had occurred on Friday.

“We have not notified the authorities of this attack as no client information was accessed.

“We have a home insurance offering called BetterSure that we currently promote to our BetterBond clients. It is a subset of these customers that would have received the phishing e-mail.

“The phishing e-mail was received by approximately 3,500 clients within the insurance business. Our BetterBond client base was not affected by this attack.”


She said the online safety of their clients was paramount.

“The intention of the [Coetzee] e-mail was to immediately make our clients that received the phishing e-mail aware of the potential threat.

“This mitigating step is also in line with our company policy. We are not aware of any clients that were affected by the attack and no client data was accessed.”

She said all “that was compromised was a single e-mail address belonging to one of our staff members who followed the phishing link.

“The person behind the phishing attack then used that e-mail address to send out the phishing e-mail. Our firewall and e-mail security system immediately picked up that this was a phishing threat, at which point we changed the staff member’s credentials, making their e-mail account inaccessible to the perpetrator.”

Robinson said phishing attacks had been on the rise since the Covid-19 pandemic began.

“As these attacks become more sophisticated, we adapt our security measures to ensure that our staff and clients are not affected.

“We do not want to publish the security measures taken to mitigate these risks, as it exposes our methods to individuals wanting to perpetrate these phishing attacks.”

Weakest links

Cyber security expert Jacques van Heerden said phishing attacks were very common.

“Employees are always the weakest link. If they are not aware of their company’s security protocols they often click on links, unaware that they are exposing the business to cyber criminals.

“An administration employee is the crown jewel for hackers because of the access that they have to a company’s databases.”

He said that, depending on their motive, hackers could either just collect the information or, if they were more sinister, install “back doors” in IT systems which gave them access to databases and clients’ information at a later stage.

“Phishing attacks often precede ransomware attacks, which is where hackers hold companies’ sensitive data for ransom.”

On the BetterSure breach, Van Heerden questioned whether the malicious software that targeted the company’s clients’ e-mail addresses was merely collecting information on e-mails.

“Given it was an administrator’s e-mail that was targeted it’s possible that other malicious software could have been planted on the organisation’s IT systems.”

Tlakula said they had heard nothing from BetterBond.

“We will be making enquiries.”

Speaking about the Experian leak, she said they had received an interim report from a cyber security expert they had hired to review Experian’s own forensic report.

“Experian has provided the investigator with the information he requested. The investigator’s analysis of the information is at an advanced stage.”

She said Experian had also provided the Regulator with copies of the notifications it had sent to its clients whose financial information had been breached.

“We are still unsure whether any Experian clients have suffered any losses from the theft of their personal data.”
